WASHINGTON – U.S. Sens. Mark R. Warner (D-VA) and Susan Collins (R-ME) introduced legislation to strengthen the security of U.S. election infrastructure by requiring that voting systems undergo simulated attacks as part of their standard certification process. Specifically, the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act would direct the Election Assistance Commission (EAC) to require that systems seeking certification undergo penetration testing, a practice that allows researchers to search for vulnerabilities by attempting to attack a system with the same tools and techniques used by cybercriminals.
“If we’re going to defeat our adversaries, we have to be able to think like they do. The SECURE IT Act would allow researchers to step into the shoes of cybercriminals and uncover vulnerabilities and weaknesses that might not be found otherwise,” said Sen. Warner. “As foreign and domestic adversaries continue to target U.S. democracy, I’m proud to introduce legislation to harness a critical cybersecurity practice that will help safeguard our elections infrastructure.”
“This bipartisan legislation will strengthen the integrity of our election process by ensuring that voting systems are safe and secure,” said Sen. Collins. “It will help protect and bolster public confidence in our elections.”
Current regulations under the Help America Vote Act (HAVA) require the EAC to provide for the testing and certification, decertification, and recertification of voting system hardware and software by accredited laboratories. However, HAVA does not explicitly require penetration testing of voting systems.
This legislation would direct the EAC to require that a voting system undergo cybersecurity penetration testing in order to be certified. It would also direct the EAC and the National Institute of Standards and Technology (NIST) to accredit entities that can perform penetration testing to fulfill the aforementioned requirement. Additionally, the legislation would direct the EAC to create a voluntary Coordinated Vulnerability Disclosure Program for election systems. Under this program, vetted researchers would be given access to voting systems voluntarily provided by manufacturers in order to discover vulnerabilities and disclose them to the manufacturer and EAC.
“This bill will allow independent election system researchers like myself to contribute more fully to maintaining public confidence in our elections. The SECURE IT Act will create a space where researchers and election systems manufacturers can work together to find—and fix—any cybersecurity vulnerability that may exist in our election infrastructure,” said Dr. Juan E. Gilbert, Chair of the Computer & Information Science & Engineering Department at the University of Florida.
“ES&S has long supported and taken part in independent testing of its elections equipment,” said Tom Burt, CEO and president of Election Systems & Software, the largest manufacturer of voting systems in the United States. “Programmatic testing performed by independent security experts helps ensure equipment stays ahead of threats, and it helps increase voter confidence in the overall security of elections. I appreciate Senator Warner’s and Senator Collins’ work to further secure our nation’s elections.”
A copy of the bill is available here and a one-page summary is available here.